MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5628a14f88383166a8b00f6a939d9817fd3cd54a0ed925a2689b218aa3d999b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 10



SHA256 hash: 5628a14f88383166a8b00f6a939d9817fd3cd54a0ed925a2689b218aa3d999b7
SHA3-384 hash: 4a5643113b14de71891077ff9f3a6e32a102194136d3573f3d73698f206e3e73e9bf0f42069091e1ee1d8487c0eca755
SHA1 hash: 76e1b529353b324f22d26af96535f0bc183c3a68
MD5 hash: 42bb6b0931c9af2a992e01d9b338ce1d
humanhash: lemon-yankee-autumn-aspen
File name: x86_64
Signature: Mirai
File size: 63'280 bytes
First seen: 2025-07-24 23:52:47 UTC
Last seen: Never
File type: elf
MIME type: application/x-executable
ssdeep 1536:LdhUhK08GRSazherwO6XjVHsDv6+BO2mHqxpe/0e7M2b2mXPo:ZhUhX86bzhtL5Hyv6+jmHIpePg2b2m/o
TLSH T101533A17B540C0FCC49AC1B4572EBA7AE6B375BD0238B2BD77D4EA12BD49E201E5E600
telfhash t1bd214cf275780d50e0d7e576b70af52819601d2018f175f6dafa64b7eb317820a78c27
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence


File Origin
# of uploads: 1
# of downloads: 20
Origin country: DE
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Receives data from a server
Creating a file
Runs as daemon
Mounts file systems
Opens a port
Kills processes
Sends data to a server
Connection attempt
Substitutes an application name
Kills critical processes
Status:
terminated
Behavior Graph:
(flattened graph export; the process tree and network edges recovered from it)
pid 2432 /usr/bin/sudo --execve--> pid 2442 /tmp/sample.bin (tagged: net)
pid 2442 /tmp/sample.bin: connects to 8.8.8.8:53; --clone--> pid 2444 /home/sandbox/ (tagged: dns net send-data zombie)
pid 2444 /home/sandbox/: connects to 8.8.8.8:53; sends 30 B to 81.169.136.222:53; sends 7 B to bunnybots.ru:38241; --clone--> pid 2445 /home/sandbox/; --clone--> pid 2494 /home/sandbox/. (tagged: net send-data)
pid 2494 /home/sandbox/.: sends 5'981'620 B to 16.24.8.203:9040; --clone--> pid 2495 /home/sandbox/.
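The sandbox behaviour graph above is the most useful evidence on this entry: it carries the process tree and every network endpoint together with the number of bytes sent to it. The script below, an added example and not MalwareBazaar's or the sandbox vendor's code, recovers those facts from the raw export text (copied verbatim from this entry's graph export) with a handful of regular expressions. The node and edge grammar it relies on (guuid=... pid=N path for processes, uuid host:port for endpoints, con and send: NB edge labels) is inferred from this single export, so treat it as an assumption rather than a documented format.

```python
"""Recover the process tree and network endpoints from the flattened sandbox
behaviour-graph export on this MalwareBazaar entry.

Added example, not MalwareBazaar's or the sandbox vendor's code.  The node and
edge grammar below is inferred from this one export (assumption):
  guuid=<id> pid=<N> <path> [tags]            process node
  <uuid> <host>:<port>                        network endpoint node
  pid=<A>->guuid=<id> pid=<B> execve|clone    process edge
  pid=<A>-><uuid> con | send: <N>B            network edge
"""
import re

UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
PROC_NODE = re.compile(r"guuid=\S+ pid=(\d+) (/\S*)")
PROC_EDGE = re.compile(r"pid=(\d+)->guuid=\S+ pid=(\d+) (execve|clone)")
NET_NODE = re.compile(r"(?<!guuid=)(" + UUID + r") (\S+:\d+)")
NET_EDGE = re.compile(r"pid=(\d+)->(" + UUID + r") (con|send: (\d+)B)")

# Copied verbatim from the "Behavior Graph" export of this entry.
GRAPH_EXPORT = (
    "%3 guuid=d2c7ddb9-1900-0000-e61b-c93a80090000 pid=2432 /usr/bin/sudo "
    "guuid=a8f45dbc-1900-0000-e61b-c93a8a090000 pid=2442 /tmp/sample.bin net "
    "guuid=d2c7ddb9-1900-0000-e61b-c93a80090000 pid=2432->guuid=a8f45dbc-1900-0000-e61b-c93a8a090000 pid=2442 execve "
    "8b0a01dc-0728-52c1-8024-c4ba7801b8d6 8.8.8.8:53 "
    "guuid=a8f45dbc-1900-0000-e61b-c93a8a090000 pid=2442->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con "
    "guuid=46309abc-1900-0000-e61b-c93a8c090000 pid=2444 /home/sandbox/ dns net send-data zombie "
    "guuid=a8f45dbc-1900-0000-e61b-c93a8a090000 pid=2442->guuid=46309abc-1900-0000-e61b-c93a8c090000 pid=2444 clone "
    "guuid=46309abc-1900-0000-e61b-c93a8c090000 pid=2444->8b0a01dc-0728-52c1-8024-c4ba7801b8d6 con "
    "ac0b4284-2aa4-5c89-80a0-995c690355af 81.169.136.222:53 "
    "guuid=46309abc-1900-0000-e61b-c93a8c090000 pid=2444->ac0b4284-2aa4-5c89-80a0-995c690355af send: 30B "
    "b7f22dff-36ca-56fe-b940-e18740a057c3 bunnybots.ru:38241 "
    "guuid=46309abc-1900-0000-e61b-c93a8c090000 pid=2444->b7f22dff-36ca-56fe-b940-e18740a057c3 send: 7B "
    "guuid=c7a0acbc-1900-0000-e61b-c93a8d090000 pid=2445 /home/sandbox/ "
    "guuid=46309abc-1900-0000-e61b-c93a8c090000 pid=2444->guuid=c7a0acbc-1900-0000-e61b-c93a8d090000 pid=2445 clone "
    "guuid=84234b25-2400-0000-e61b-c93abe090000 pid=2494 /home/sandbox/. net send-data "
    "guuid=46309abc-1900-0000-e61b-c93a8c090000 pid=2444->guuid=84234b25-2400-0000-e61b-c93abe090000 pid=2494 clone "
    "c9788885-e70a-5a5c-af62-5a71b9e848d8 16.24.8.203:9040 "
    "guuid=84234b25-2400-0000-e61b-c93abe090000 pid=2494->c9788885-e70a-5a5c-af62-5a71b9e848d8 send: 5981620B "
    "guuid=40056125-2400-0000-e61b-c93abf090000 pid=2495 /home/sandbox/. "
    "guuid=84234b25-2400-0000-e61b-c93abe090000 pid=2494->guuid=40056125-2400-0000-e61b-c93abf090000 pid=2495 clone"
)


def parse_graph(text):
    """Return {'processes': {pid: path}, 'tree': [(parent, child, how)],
    'network': [{'pid', 'endpoint', 'action', 'bytes'}]} in export order."""
    procs = {}
    for pid, path in PROC_NODE.findall(text):
        procs.setdefault(int(pid), path)          # first label for a pid wins
    tree = [(int(p), int(c), how) for p, c, how in PROC_EDGE.findall(text)]
    by_uuid = {u: ep for u, ep in NET_NODE.findall(text)}
    net = []
    for pid, u, _label, nbytes in NET_EDGE.findall(text):
        net.append({"pid": int(pid), "endpoint": by_uuid.get(u, u),
                    "action": "send" if nbytes else "connect",
                    "bytes": int(nbytes) if nbytes else 0})
    return {"processes": procs, "tree": tree, "network": net}


def endpoints(report):
    """Unique endpoints in first-seen order (the IOC list to pivot on)."""
    seen = []
    for ev in report["network"]:
        if ev["endpoint"] not in seen:
            seen.append(ev["endpoint"])
    return seen


def bytes_by_endpoint(report):
    """Total bytes sent per endpoint; 'con' edges carry no count and are skipped."""
    totals = {}
    for ev in report["network"]:
        if ev["action"] == "send":
            totals[ev["endpoint"]] = totals.get(ev["endpoint"], 0) + ev["bytes"]
    return totals


def largest_transfer(report):
    """(endpoint, bytes) of the biggest outbound transfer, or None if no sends."""
    totals = bytes_by_endpoint(report)
    return max(totals.items(), key=lambda kv: kv[1]) if totals else None


if __name__ == "__main__":
    rep = parse_graph(GRAPH_EXPORT)
    for parent, child, how in rep["tree"]:
        print(f"{parent} {rep['processes'][parent]} --{how}--> {child} {rep['processes'][child]}")
    for ev in rep["network"]:
        print(f"pid {ev['pid']} {ev['action']} {ev['endpoint']} {ev['bytes']}B")
    print("largest transfer:", largest_transfer(rep))
```

The graph on its own does not prove which endpoint is the bot's controller. What it does show is a 30-byte message to 81.169.136.222 on port 53 (matching the "Unexpected DNS network traffic destination" behaviour listed further down), a 7-byte message to bunnybots.ru:38241, and a transfer of roughly 5.9 MB to 16.24.8.203:9040 from a forked child; the last is the one worth pivoting on first.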
Result
Threat name:
Detection:
malicious
Classification:
spre.troj
Score:
84 / 100
Signature
Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Yara detected Mirai
Behaviour
Behavior Graph (flattened export; only the recoverable facts are kept):
Behavior Graph ID: 1743811
Sample: x86_64.elf
Startdate: 25/07/2025
Architecture: LINUX
Score: 84
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Mirai
Sample process tree: x86_64.elf forks several further x86_64.elf processes; "Sample tries to kill multiple processes (SIGKILL)" is attached to those nodes
File noted as dropped: /var/log/wtmp (data), attributed to the "31 other processes" group rather than to x86_64.elf
Note: the export also contains the sandbox's own desktop session (systemd, gdm3, gpu-manager, Xorg, dbus-daemon, gnome-shell, ibus-daemon and about 31 other processes), and the "Sample reads /proc/mounts" and "Reads system files that contain records of logged in users" signatures are attached to some of those nodes as well, so per-process attribution in this graph should be read with care.
Verdict:
Malicious
Threat:
HEUR:Backdoor.Linux.Mirai
Threat name:
Linux.Backdoor.Mirai
Status:
Malicious
First seen:
2025-07-24 23:53:22 UTC
File Type:
ELF64 Little (Exe)
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Result
Malware family:
Score:
  10/10
Tags:
family:mirai defense_evasion discovery linux
Behaviour
Reads runtime system information
Changes its process name
Reads system network configuration
Enumerates active TCP sockets
Enumerates running processes
Writes file to system bin folder
Modifies Watchdog functionality
Renames itself
Unexpected DNS network traffic destination
Verdict:
Malicious
Tags:
trojan gafgyt mirai Unix.Trojan.Mirai-7640640-0
YARA:
Linux_Trojan_Gafgyt_9e9530a7 Linux_Trojan_Gafgyt_807911a2 Linux_Trojan_Gafgyt_d4227dbf Linux_Trojan_Gafgyt_d996d335 Linux_Trojan_Gafgyt_620087b9 Linux_Trojan_Gafgyt_33b4111a Linux_Trojan_Mirai_520deeb8 Linux_Trojan_Mirai_01e4a728 Linux_Trojan_Mirai_e0cf29e2

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:Linux_Trojan_Gafgyt_33b4111a
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_620087b9
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_807911a2
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_9e9530a7
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d4227dbf
Author:Elastic Security
Rule name:Linux_Trojan_Gafgyt_d996d335
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_01e4a728
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_520deeb8
Author:Elastic Security
Rule name:Linux_Trojan_Mirai_e0cf29e2
Author:Elastic Security
Rule name:MatchByteSequence
Author:Generated by ChatGPT
Description:Rule to match specific byte sequence: 89 C8 C1 E8 08 31 D1 31 C8
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Mirai
Sample: elf 5628a14f88383166a8b00f6a939d9817fd3cd54a0ed925a2689b218aa3d999b7 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID          Title                                                       Severity
CHECK_PIE   Missing Position-Independent Executable (PIE) Protection    high
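BLint derives CHECK_PIE from the ELF header: an executable whose e_type is ET_EXEC (which is what this entry's "ELF64 Little (Exe)" file type indicates) is loaded at a fixed address and gets no ASLR, whereas a PIE is ET_DYN. The script below, an added example rather than BLint's own code, performs that check from the header and adds the two neighbouring checks a triager usually wants on an IoT bot binary: whether the stack is executable (PT_GNU_STACK flags) and whether the binary is statically linked (no PT_INTERP). It runs on constructed ELF64 fixtures built inside the block, not on the sample itself; the only value taken from this entry is the SHA256, so pointing the script at a downloaded file also tells you whether it is this sample.

```python
"""Check the ELF hardening properties BLint reports for this entry (PIE), plus
the related NX-stack and static-linking checks, straight from the ELF header and
program headers.  Added example, not BLint's or MalwareBazaar's code; standard
library only.  The ELF images below are constructed fixtures, not the sample."""
import hashlib
import struct

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_STACK = 3, 0x6474E551
PF_X = 1
MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# SHA256 of the sample this MalwareBazaar entry describes.
ENTRY_SHA256 = "5628a14f88383166a8b00f6a939d9817fd3cd54a0ed925a2689b218aa3d999b7"


def inspect_elf(data: bytes) -> dict:
    """Parse the ELF header and program headers and return hardening facts.

    pie    : e_type == ET_DYN (what checksec/BLint call PIE for an executable;
             a shared library is ET_DYN too, so only meaningful for executables)
    nx     : True if PT_GNU_STACK exists without PF_X, False if it is executable,
             None if the segment is absent (the toolchain/kernel default applies)
    static : no PT_INTERP, i.e. no dynamic loader requested
    """
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little, 2 = big
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    nx, static = None, True
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:                              # Elf64_Phdr: p_type, p_flags first
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:                                 # Elf32_Phdr: p_flags sits at +24
            (p_type,) = struct.unpack_from(end + "I", data, off)
            (p_flags,) = struct.unpack_from(end + "I", data, off + 24)
        if p_type == PT_INTERP:
            static = False
        elif p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {
        "class": 64 if is64 else 32,
        "endian": "little" if end == "<" else "big",
        "type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, hex(e_type)),
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "pie": e_type == ET_DYN,
        "nx": nx,
        "static": static,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_this_sample(data: bytes) -> bool:
    """True if the bytes hash to the SHA256 shown on this entry."""
    return hashlib.sha256(data).hexdigest() == ENTRY_SHA256


def build_elf64(e_type: int, machine: int, phdrs: list) -> bytes:
    """Construct a minimal little-endian ELF64 image (header + program headers
    given as (p_type, p_flags) pairs, all addresses zero).  Test fixture only."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7)
    ehsize, phentsize = 64, 56
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, machine, 1, 0,
                              ehsize if phdrs else 0, 0, 0, ehsize, phentsize,
                              len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body


# Constructed fixtures: the first mirrors the combination this entry reports
# (ET_EXEC, x86-64), the second is what a hardened PIE build would look like.
NON_PIE_STATIC = build_elf64(ET_EXEC, 62, [(PT_GNU_STACK, 6)])
PIE_DYNAMIC = build_elf64(ET_DYN, 62, [(PT_INTERP, 4), (PT_GNU_STACK, 7)])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else NON_PIE_STATIC
    print(inspect_elf(blob), "matches this entry:", is_this_sample(blob))
```

A missing-PIE finding on a statically linked IoT bot binary is the norm rather than a surprise; the value of the check is in the other direction, when you are assessing a binary you intend to run.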
